DAY2™ adheres to a least-privilege permission model throughout all platform operations. Our goal is to ensure that our customers have complete control over the permissions they grant and to limit the scope of our access for each operation.

For resource discovery, DAY2™ creates a Service Principal/App Registration and a specific role with the bare minimum permissions. The custom RBAC roles associated with the Service Principal in your Azure subscription carry only the permissions that are necessary.

These roles are created in your Azure subscription for Resource Discovery (Initial Resource Discovery and Real-Time Resource Discovery).

Described below are the custom RBAC permissions assigned to the service principal in the subscription.

  1. Reader Role
    Azure built-in Reader role, which grants read access to all the resources inside the subscription.

  2. Custom Role

    1. Resource Group
      Read/Write resource groups in the subscription.

    2. Event Grid
      Read/Write Event Grid in the subscription.

    3. Event Subscription
      Read/Write event subscriptions in the subscription.

    4. Logic Apps
      Read/Write Logic Apps in the subscription.

    5. Web App
      Read/Write Connections and Connection Gateways in the subscription.

    6. Microsoft.Authorization
      Read only: role assignments and role definitions in the subscription.

For granular details of permissions for each of these areas, contact us at support@montycloud.com.
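
An added example, not DAY2's own code: a Python check you can run over the custom role definition (in the JSON shape returned by `az role definition list`) to confirm its actions stay within the areas listed above. The mapping from those areas to Azure operation prefixes, the function name `audit_role`, and the sample role are assumptions constructed for illustration, since this page does not publish the exact action strings.

```python
import json
# Assumed mapping of the areas listed on this page to operation prefixes/verbs.
ALLOWED = {
    "microsoft.resources/subscriptions/resourcegroups/": {"read", "write"},
    "microsoft.eventgrid/": {"read", "write"},
    "microsoft.logic/": {"read", "write"},
    "microsoft.web/connections/": {"read", "write"},
    "microsoft.web/connectiongateways/": {"read", "write"},
    "microsoft.authorization/roleassignments/": {"read"},
    "microsoft.authorization/roledefinitions/": {"read"},
}

def audit_role(role):
    """Return (value, reason) findings for one role definition dict."""
    findings = []
    for perm in role.get("permissions", []):
        for action in perm.get("actions", []):
            a = action.lower()
            verbs = next((v for p, v in ALLOWED.items() if a.startswith(p)), None)
            if "*" in a:
                findings.append((action, "wildcard, review manually"))
            elif verbs is None:
                findings.append((action, "outside documented areas"))
            elif a.rsplit("/", 1)[-1] not in verbs:
                findings.append((action, "verb not documented"))
        for action in perm.get("dataActions", []):
            findings.append((action, "data-plane action not documented"))
    for scope in role.get("assignableScopes", []):
        if not scope.lower().startswith("/subscriptions/"):
            findings.append((scope, "scope wider than a subscription"))
    return findings

# Constructed sample role definition, not taken from a real tenant.
SAMPLE = json.loads("""{
  "roleName": "example-discovery-role",
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "permissions": [{"actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.EventGrid/eventSubscriptions/write",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Logic/workflows/delete",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.EventGrid/*"
  ], "dataActions": []}]
}""")
if __name__ == "__main__":
    for value, reason in audit_role(SAMPLE):
        print(f"{reason}: {value}")
```

An empty result means every action in the role falls inside the assumed mapping; any finding is a prompt to compare the role against the granular permission list from support.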